Views:

Create, import, and manage filters to detect events in your environment.

Custom filters are user-defined filters that allow you to tailor the detection of specific threats and suspicious behaviors to your environment's unique needs. Trend Vision One uses custom filters to detect security events which appear in Observed Attack Techniques. You can then incorporate these filters into custom detection models to generate alerts and insights in Workbench, allowing you to transform event detection into a complete threat monitoring workflow.
The Custom Filters screen (XDR Threat InvestigationDetection Model ManagementCustom Filters) allows you to create and manage custom filters. Custom filters consist of:
  • Basic information
  • Event type
  • Event ID or vendor
  • A query for detecting events in your environment
The event type, and event ID / vendor define the type of data queried by the filter. For example, ENDPOINT_ACTIVITY queries endpoint data from endpoint-based data sources such as Endpoint Sensor. Selecting TELEMETRY_FILE, further refines the query to only file events within endpoint activity data. For more information about event types and data sources, see Search method data sources.
Important
Important
You can add a maximum of 50 custom filters. If you need to add more filters, contact your support provider.
The following table outlines the actions available in Custom Filters:
Action
Description
Add custom filters
You have various ways of adding custom filters:
Export custom filters
  • If you want to export some of your custom filters, select one or more filters, then click Export Selected Filters.
  • If you want to export all your custom filters, click export_button=GUID-C683DEEE-C19C-484D-A5B1-4CA9D1794756=1=en-us=Low.jpg.
Trend Vision One generates a password-protected ZIP file that contains all your custom filters (one YAML file per filter). When the export completes, click dddna_summary_detection_copy=GUID-4DE35BE5-57A5-4919-BF9C-5EC95F9CA8FD=1=en-us=Low.png under Export Custom Filters to copy the password for the ZIP file.
Search and filter the filter list
Use the following options to locate specific custom filters:
  • Severity: Filter by low, high, or critical severity
  • Event type: Filter by data source types (for example ENDPOINT_ACTIVITY)
  • Last updated: Filter by when filters were last modified
  • Search bar: Search by filter ID, name, or query content
See the details of a filter
Click a filter name to view detailed information about the custom filter.
Edit a custom filter
Click edit_icon=GUID-1F1D1164-5310-4D6D-ACD0-6049C86960AF.png to edit a custom filter.
WARNING
WARNING
Changing a custom filter affects how the models that use the filter trigger Workbench alerts.
Delete a custom filter
Click trash_icon=GUID-47cf6867-6315-438e-8670-86ff36f22a28.png to delete a custom filter.
You can only delete custom filters that are not included in any model.
Related information